Botnet Traffic

John Kristoff jtk at cymru.com
Thu Feb 23 22:42:47 UTC 2012


On Thu, 23 Feb 2012 18:17:38 -0400
"James Smith" <james at smithwaysecurity.com> wrote:

> Can anyone on this list provide botnet network traffic for analysis,
> or IPs which have been infected.

Hi James,

Normally few people are going to be unwilling to provide such a thing,
at least for live or recently active botnets to the general public.  In
essence, few people like to spread that sort of dirty laundry around to
anyone who comes asking in a public forum.

However, there is some public data available in various locations.  For
instance, the Dragon Research Group (DRG) provides some public data it
sees on the well known HTTP, VNC and SSH ports.  The SSH report is
primarily compiled from random SSH brute force spreading worms.

  <http://dragonresearchgroup.org/insight/>

Note, I'm one of the DRG volunteers.

You can browse around the SANS ISC reports and get an idea of what they
see from various hosts and networks too.

  <http://isc.sans.edu/reports.html>

I'm not involved with that organization.

Lenny Zeltser has a page detailing where you might get some sample
malware to research:

  <http://zeltser.com/combating-malicious-software/malware-sample-sources.html>

There are likely many other sources of info if you dig around,
but you may be better off asking in another forum where security,
rather than networking, is the major theme.  Feel free to contact me off
list and I'll see if I can help introduce you to the appropriate venues.

John
